Most developers know UFW blocks unwanted traffic. What they don't know is that Docker bypasses UFW entirely by rewriting iptables directly.
This in your docker-compose.yml:
ports:
- "5432:5432"
Exposes Postgres to the public internet. UFW never sees it. Your firewall rules don't matter.
The fix is one token:
ports:
- "127.0.0.1:5432:5432"
We ran this pattern against Trivy, Checkov, Semgrep, and Snyk. None of them catch it. It's a blind spot across every major IaC scanner.
So we built a rule for it — VGL-D001 — and open-sourced the scanner that runs it as a Claude Code hook, catching the exposure the moment you write the file.
vigilsec-io/cordon on GitHub
It runs as a PostToolUse hook in Claude Code — zero friction, catches IaC issues inline as you write them, not in CI after the fact.
Top comments (0)